Platform: wordpress
Component: wp-file-upload
Fixed in: 4.24.16
CVE-2024-11613 represents a critical Remote Code Execution (RCE) vulnerability within the WordPress File Upload plugin. This flaw allows unauthenticated attackers to execute code on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the plugin up to and including 4.24.15. A patch is expected to be released by the plugin developers.
The impact of CVE-2024-11613 is severe. Successful exploitation allows an attacker to execute arbitrary code on the web server hosting the WordPress site. This could involve installing malware, stealing sensitive data (user credentials, database contents, configuration files), modifying website content, or even pivoting to other systems on the network. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors. The vulnerability's location within a file download handler ('wfufiledownloader.php') makes it particularly insidious, as attackers can potentially leverage legitimate download functionality to mask their malicious activity.
Exploitation is considered highly probable because the flaw is easy to exploit and requires no authentication. Public proof-of-concept (PoC) code is likely to emerge quickly following public disclosure. The vulnerability was published on 2025-01-08. Monitor CISA KEV listings for potential inclusion. Active exploitation campaigns are possible, particularly those targeting vulnerable WordPress installations.
Exploit Status
EPSS: 66.12% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11613 is to upgrade the WordPress File Upload plugin to a version with the security patch. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing strict file upload restrictions within WordPress itself (limiting allowed file types and sizes) can reduce the attack surface. Monitor web server access logs for suspicious activity related to 'wfufiledownloader.php', specifically looking for unusual parameters or file requests. After upgrading, confirm the vulnerability is resolved by attempting a controlled code execution test on a staging environment.
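As a concrete form of the log monitoring recommended above, here is an added example (not from the advisory or the plugin) that scans combined-format access logs for requests to wfufiledownloader.php whose query string carries traversal, PHP-file or stream-wrapper indicators; the plugin path, the parameter name and the indicator set are assumptions, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format (assumption: the web server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Indicators chosen for this example (not taken from the advisory): traversal,
# references to PHP files, stream wrappers and null bytes in the query string.
INDICATORS = [
    ("path traversal", re.compile(r'\.\.[/\\]')),
    ("php file reference", re.compile(r'\.php', re.I)),
    ("stream wrapper", re.compile(r'\b(php|phar|data)://', re.I)),
    ("null byte", re.compile('\x00')),
]

def inspect_line(line):
    """Return (ip, url, reasons) for a request to wfufiledownloader.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    if not parts.path.endswith("/wfufiledownloader.php"):
        return None
    # Decode twice so double-encoded values (%252e -> %2e -> .) are caught too.
    query = unquote(unquote(parts.query))
    reasons = [name for name, rx in INDICATORS if rx.search(query)]
    if m.group("method") != "GET":
        reasons.append("non-GET request to download handler")
    return (m.group("ip"), url, reasons)

def find_suspicious(lines):
    """Return the parsed hits that carry at least one indicator."""
    return [hit for hit in map(inspect_line, lines) if hit and hit[2]]

# Constructed sample log lines; the plugin path and parameter name are assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=report.pdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Jan/2025:10:02:13 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=../../../wp-config.php HTTP/1.1" 200 3011',
    '198.51.100.7 - - [08/Jan/2025:10:02:20 +0000] "GET /wp-content/plugins/wp-file-upload/wfufiledownloader.php?file=%252e%252e%2fshell.php HTTP/1.1" 404 212',
    '203.0.113.9 - - [08/Jan/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for ip, url, reasons in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(reasons)}")
```

Feed it the real access log with `find_suspicious(open(path))`; legitimate downloads of plain filenames produce no output, so any hit is worth triage.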
Update the WordPress File Upload plugin to the latest available version. This will resolve the Remote Code Execution, Arbitrary File Read, and Arbitrary File Deletion vulnerabilities.
CVE-2024-11613 is a critical Remote Code Execution vulnerability in the WordPress File Upload plugin, allowing attackers to execute code on the server without authentication.
You are affected if you are using the WordPress File Upload plugin version 4.24.15 or earlier. Check your plugin version and upgrade immediately.
Upgrade the WordPress File Upload plugin to the latest available version with the security patch. If upgrading is not immediately possible, disable the plugin temporarily.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor your systems closely.
Refer to the WordPress security announcements page and the WordPress File Upload plugin's official website for updates and advisories regarding CVE-2024-11613.